Privacy Policy

1. Introduction

MarketImpact Digital Solutions Ltd ("Meso", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Meso communication platform (the "Service").

We are a company registered in the Republic of Cyprus, and we process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Cyprus Law on the Protection of Natural Persons with regard to the Processing of Personal Data (Law 125(I)/2018).

2. Data Controller

The data controller responsible for your personal data is:

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide

• Account Information: Email address, display name, and password (stored as a cryptographic hash)
• Profile Information: Optional profile picture
• Communications: Messages you send through the Service (encrypted in transit and at rest)
• Files: Images, documents, and voice messages you choose to share
• Payment Information: Transaction records for credit top-ups (payment details are processed by our payment provider, Revolut)
• Support Communications: Information you provide when contacting our support team

3.2 Information Collected Automatically

• Device Information: Device type, operating system, and browser type (for mobile app sessions only)
• Usage Data: Features used, call duration, and timestamps
• Connection Quality: Network quality metrics to optimise call performance

3.3 Information We Do NOT Collect

4. Legal Basis for Processing

We process your personal data on the following legal grounds under Article 6 of the GDPR:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service to you, including account management, messaging, and calling features
• Legitimate Interests (Art. 6(1)(f)): Processing for security, fraud prevention, and service improvement, where our interests do not override your rights
• Legal Obligations (Art. 6(1)(c)): Processing required to comply with applicable laws, such as financial record-keeping requirements
• Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities (you may withdraw consent at any time)

5. How We Use Your Data

We use your personal data for the following purposes:

• To create and manage your account
• To provide messaging, voice, and video calling services
• To enable PSTN (phone network) calling when you have sufficient credit
• To process payments and maintain transaction records
• To send service-related notifications (e.g., verification emails, security alerts)
• To provide customer support
• To detect, prevent, and address technical issues and security threats
• To comply with legal obligations

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy:

When you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required by law.

7. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

7.1 Service Providers

We use trusted third-party service providers who process data on our behalf under strict contractual obligations:

• Neon (Database): PostgreSQL database hosting (EU servers)
• Vercel (Hosting): Application hosting and CDN
• Hetzner (LiveKit Server): Self-hosted video/audio infrastructure (Germany)
• Resend (Email): Transactional email delivery
• Revolut (Payments): Payment processing
• Telnyx (PSTN): Phone network connectivity
• Sentry (Error Tracking): Application error monitoring (no personal messages)

7.2 Legal Requirements

We may disclose your data if required by law or in response to valid legal process, including:

• Court orders or subpoenas
• Requests from law enforcement agencies with proper legal authority
• To protect our legal rights or defend against legal claims

We will notify you of such requests where legally permitted and will challenge requests we believe to be overly broad or unlawful.

8. International Data Transfers

Your personal data is primarily processed within the European Economic Area (EEA). When data is transferred outside the EEA, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules where used by our service providers

Our primary infrastructure (database and LiveKit server) is hosted in the EU (Germany and other EU locations).

9. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR:

To exercise any of these rights, please contact us at privacy@meso.cy. We will respond within 30 days as required by law.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

• All data is encrypted in transit using TLS 1.3
• Passwords are hashed using Argon2, a secure cryptographic algorithm
• Database connections require SSL
• Access controls and authentication for all systems
• Regular security assessments and monitoring
• Rate limiting to prevent abuse
• Account lockout protection against brute-force attacks

11. Cookies and Similar Technologies

We use minimal cookies necessary for the Service to function:

We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users. We do not participate in cross-site tracking.

12. Children's Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice (such as an email notification).

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after any modifications indicates your acceptance of the updated policy.

14. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. In Cyprus, this is:

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: